Not 100% sure what you're aiming for. A test plan may vary very much depending on what kind of environment and scope you are testing. E.g. a web application may have a completely different test plan than a perimeter network test.
– Chris Andrè Dale Jul 12 '12 at 11:36

What I am more interested in is what should be in a test plan? Like, should I mention the test methodologies? Should I create one out of STRIDE? How? I mean, is there even a book? A course on that?
– smiley Jul 12 '12 at 12:16

6 Answers

NIST 800-53A and NIST 800-115
That's not strictly a test plan, but it is a catalog of the elements of a test plan. If you're working with a government system, that is a list of test standards for the security controls. If you're working on a commercial system, it is a catalog of resources.

Abrams appears to be an example; you can find more by searching for Security Test & Evaluation Plans on Google.

Ultimately however, I think they all miss the mark. Modern security test plans should be done on the basis of risk. In my opinion, you should perform your risk assessment, identify the top N risks, and then develop a standard project plan to test/validate those risks within the resources available ($$, time, expertise, etc.).

Standards/policies, risk assessment and threat modeling should drive out a set of key risks and controls to mitigate them. What these consist of will depend on what is being delivered.

A test plan should fundamentally set out to evidence these controls. Penetration/vulnerability testing is only part of this. Other aspects could be code/build/configuration review, aspects of functional testing to ensure expected capabilities are present, 3rd party assurance and standards compliance.

This happens to be a very pet question from a security management perspective. For me it has happened in cases where I'm magically supposed to bring 'a PLAN' which solves all of the management's worries. The plan by definition demands focus and attention to specific details. A successful plan would ALWAYS match its purpose, efforts and the results it delivers.

Let me explain further.

Firstly, a plan basically should work like a small project, having all the ingredients of what should comprise an effective and cost-effective project. Just like in any project, you would discuss

Project Scope

Requirements

Objectives

Resources

List item

Design / Proposed solution

Deliverable

Project performance metrics / KPI

Documentation

Similarly, any plan for that matter should have a decent footprint of effective project management activities and planning.

Your statement would have made just the perfect contextual sense if you had added something like "I want a testing plan for XYZ". XYZ here is arbitrary; it can be, but is not limited to:

Like given and explained in the OWASP testing guide, a plan or series of test cases which would be prepared to test compliance, i.e. whether the programmer has followed the OWASP secure coding guidelines or not.

By saying this I mean a plan can be used, prepared and mentored to test just about anything that fits the requirements and objectives. This is the reason you would see, especially in security, that there is a plan or a methodology for everything. Another example: there could be a plan that tests on a regular basis your organization's access point configuration for weak encryption protocols/standards (WEP), and also a plan that checks specifically for unencrypted remote management services (e.g. telnet) using a tool (e.g. NESSUS). In layman's terms this means that whenever there are two systematically and environmentally disparate inputs involved, there would always be two plans involved, not one. For example, it makes perfect sense, depending upon the criticality of the use of particular industrial equipment, that the manufacturers could mandate two separate test plans and strategies for the resistance of nuts and bolts to stresses at rest (hit by a fast moving object) and also their resilience to the same thing happening when in motion.

Secondly, a key point related to plans is that there is a clean and distinct description of the types of tests performed and the expected results. Usually these results are aligned or mapped with already prepared METRICS to have an understanding of the level of success or failure achieved in performing these tests.

Lastly, you asked about the stuff/things that go in a PLAN. Assuming you have done your homework and know what goes where, you can start with the following outline.